
PUBLIC

Zagrebačka banka d.d.

Qualified Electronic Time-Stamping Authority Practice Statement

Version: 1.2 from 10.9.2019.

CONTENT:

1 INTRODUCTION ... 3
1.1. OVERVIEW ... 3
1.1.1. Hierarchy in Zaba QPKI ... 3
1.1.2. Certificate Policy and Practice Statement scope and purpose ... 4
1.1.3. Certificate types ... 5
1.2. DOCUMENT NAME AND IDENTIFICATION ... 5
1.3. PKI PARTICIPANTS ... 5
1.3.1. Policy Management Authority ... 5
1.3.2. Certification authorities ... 5
1.3.3. Registration authorities ... 6
1.3.4. Provider of Qualified Electronic Time-Stamping services ... 6
1.3.5. Subscribers ... 6
1.3.6. Relying parties ... 6
1.3.7. Other participants ... 6
1.4. CERTIFICATE USAGE ... 6
1.4.1. Appropriate certificate uses ... 6
1.4.2. Prohibited certificate uses ... 7
1.5. POLICY ADMINISTRATION ... 7
2 REFERENCES ... 8
3 DEFINITIONS, SYMBOLS AND ABBREVIATIONS ... 9
3.1. DEFINITIONS ... 9
3.2. ABBREVIATIONS ... 10
4 GENERAL CONCEPTS ... 11
4.1. GENERAL POLICY REQUIREMENTS CONCEPTS ... 11
4.2. TIME-STAMPING SERVICES ... 11
4.3. TIME-STAMPING AUTHORITY (TSA) ... 11
4.4. SUBSCRIBER ... 11
5 TIME-STAMPING POLICIES ... 12
6 POLICIES AND PRACTICES ... 13
6.1. RISK ASSESSMENT ... 13
6.2. TRUST SERVICE PRACTICE STATEMENT ... 13
6.3. TERMS AND CONDITIONS ... 13
6.4. INFORMATION SECURITY POLICY ... 13
6.5. TSA OBLIGATIONS ... 13
6.5.1. TSA Subscriber Obligations ... 13
6.5.2. TSA Relying Party Obligations ... 13
6.6. LIABILITY ... 14
7 TSA MANAGEMENT AND OPERATION ... 15
7.1. INTRODUCTION ... 15
7.2. INTERNAL ORGANISATION ... 15
7.3. PERSONNEL SECURITY ... 15
7.4. ASSET MANAGEMENT ... 15
7.5. ACCESS CONTROL ... 16
7.6. CRYPTOGRAPHIC CONTROLS ... 16
7.6.1. General ... 16
7.6.2. TSU Key Generation ... 16
7.6.3. TSU private key protection ... 16
7.6.4. TSU public key certificate ... 17
7.6.5. Rekeying TSU's key ... 17
7.6.6. Life cycle management of signing cryptographic hardware ... 17
7.6.7. End of TSU key life cycle ... 17
7.7. TIME-STAMPING ... 17


Zagrebačka banka d.d. – Qualified Electronic Time-Stamping Authority Practice Statement

v1.2 from 10.9.2019. page 2

PUBLIC

7.7.1. Time-Stamp issuance ... 17
7.7.2. Clock synchronization with UTC ... 18
7.8. PHYSICAL AND ENVIRONMENTAL SECURITY ... 18
7.9. OPERATION SECURITY ... 18
7.10. NETWORK SECURITY ... 18
7.11. INCIDENT MANAGEMENT ... 19
7.12. COLLECTION OF EVIDENCE ... 19
7.13. BUSINESS CONTINUITY MANAGEMENT ... 19
7.14. TSA TERMINATION AND TERMINATION PLANS ... 20
7.15. COMPLIANCE ... 20


1 INTRODUCTION

Zagrebačka banka d.d. (hereinafter referred to as: Bank) has the business opportunity to offer its individual and corporate clients products and services through direct channels for which a handwritten signature is mandatory but notary services are not obligatory. According to legal regulation in Croatia and the EU, a Qualified electronic signature is the equivalent of a handwritten signature.

Bank implements a PKI (Public Key Infrastructure), Zaba QPKI, with the aim of issuing Qualified Certificates to its clients and providing the following Qualified Trust Services:

Qualified Electronic Signature for natural persons,

Qualified Electronic Seal for legal persons and

Qualified Electronic Time-Stamp.

Qualified Certificates for electronic signatures and seals will be used for clients' transaction authorization, which ensures data integrity and authenticity of origin. The Qualified electronic time-stamp will be used primarily for time-stamping and the long-term validity of Qualified electronic signatures and seals.

Qualified Trust Services are regulated by the Law on electronic signature and by eIDAS, EU Regulation No. 910/2014 on electronic identification and trust services for electronic transactions in the European internal market, and this Practice Statement is in compliance with these regulations.

The scope of this Practice Statement is the Zaba QTSA system, with focus on the Qualified Electronic Time-Stamp.

This Practice Statement will be published on Bank’s website.

1.1. Overview

1.1.1. Hierarchy in Zaba QPKI

The hierarchical structure of Zaba QPKI is based on Zaba Root QCA and a two-tier architecture of production Certification Authorities (hereinafter referred to as: "CA"):

Root Certificate Authority: Zaba Root QCA,

Subordinate Certificate Authority: Zaba QCA.

Zaba Root QCA issued a self-signed Zaba Root QCA certificate and certificates to its subordinate CA, Zaba QCA.

The scope of the Certificate Policy and the certification practice statements is Zaba Root QCA and the complete Zaba QPKI hierarchy based on Zaba Root QCA.

Zaba QCA is the CA (hereinafter referred to as: "Zaba QCA") which issues certificates for Subscribers.


Certificate hierarchy in Zaba QPKI

[Figure: Certificate hierarchy in Zaba QPKI. Labels recovered from the diagram: Zaba Root QCA, 1.3.6.1.4.1.47380.1.5.3.2; Zaba QCA, 1.3.6.1.4.1.47380.2.3.4.2; Zaba QCA certificates for natural persons: Qualified Certificates for electronic signature on QSCD (QCP-n-qscd), 1.3.6.1.4.1.47380.5.6.2.2; Zaba QCA certificates for legal persons: Qualified Certificates for electronic seal on QSCD (QCP-l-qscd), 1.3.6.1.4.1.47380.5.4.3.2; Zaba QCA certificates for Bank's IT equipment: Certificate for signing response from OCSP service (NCP+) Zaba QOCSP, 1.3.6.1.4.1.47380.5.2.4.1, and Certificate for time-stamping Zaba QTSA (NCP+), 1.3.6.1.4.1.47380.5.2.5.3; Certificate for signing response from OCSP service (NCP+) Zaba Root QOCSP, 1.3.6.1.4.1.47380.2.5.1.2.]

Policy and practices documents hierarchy in Zaba QPKI

[Figure: Policy and practices documents hierarchy in Zaba QPKI. Labels recovered from the diagram: Certificate Policy for Qualified Trust Services, 1.3.6.1.4.1.47380.1.5.1.1; Certification Practice Statement for Qualified Certificate for electronic signature and seal, 1.3.6.1.4.1.47380.1.5.2.1; Qualified Electronic Time-Stamping Authority Practice Statement, 1.3.6.1.4.1.47380.1.5.3.1.]

1.1.2. Certificate Policy and Practice Statement scope and purpose

The purpose of the Certificate Policy for Qualified Trust Services is to define the basic rules and principles of certification services for all PKI participants, on the basis of which Bank, as a Qualified Trust Service Provider, shall provide Qualified Certificate issuing services for electronic signatures and Qualified Certificate issuing services for electronic seals.

The scope of this Practice Statement is the Qualified Electronic Time-Stamping Service provided by Bank, for which the TSU signature verification (public) key certificate should be issued by Zaba QCA, a certification authority operating under the ETSI EN 319 411-2 standard.

Bank notifies all its clients that use Qualified Trust Services from Bank of the rules and principles defined in this Practice Statement.

The Practice Statement is approved by Zaba PMA and will be published on Bank's website http://www.zaba.hr/cps.


1.1.3. Certificate types

Bank, as Qualified Trust Service Provider, issues these groups of certificates within the scope of the Certificate Policy for Qualified Trust Services and this Practice Statement:

Zaba QCA certificates for natural persons;

Zaba QCA certificates for legal persons;

Zaba QCA certificates for Bank's IT equipment;

The following table shows the groups and types of Qualified Certificates within the scope of this Certificate Policy:

Group of certificates | Certificate type | CP OID
Zaba QCA certificates for natural persons | EU Qualified Certificates for electronic signature on QSCD (QCP-n-qscd) | 1.3.6.1.4.1.47380.5.6.2.2
Zaba QCA certificates for legal persons | EU Qualified Certificates for electronic seal on QSCD (QCP-l-qscd) | 1.3.6.1.4.1.47380.5.4.3.2
Zaba QCA certificates for Bank's IT equipment | Certificate for signing response from OCSP service (NCP+) | 1.3.6.1.4.1.47380.5.2.4.1
Zaba QCA certificates for Bank's IT equipment | Certificate for time-stamping service (NCP+) | 1.3.6.1.4.1.47380.5.2.5.3

1.2. Document name and identification

IANA (Internet Assigned Numbers Authority) assigned OID to Bank: 1.3.6.1.4.1.47380.

Document name: Qualified Electronic Time-Stamping Authority Practice Statement

Version: 1.2

Approval date: 10.9.2019.

Effective date: 25.11.2019.

OID: 1.3.6.1.4.1.47380.1.5.3.1

Document is published on URL: http://www.zaba.hr/cps

1.3. PKI participants

Participants within Zaba QPKI are:

Policy Management Authority, PMA;

Certification Authority, CA;

Registration Authority, RA;

Time-Stamp Authority, TSA;

Subscribers;

Relying Parties;

other participants:

o IT providers for hardware and software for PKI;

o cryptography devices providers (HSM, smart cards);

o other authorities;

1.3.1. Policy Management Authority

The Security department in Bank is responsible for the Certificate Policy (hereinafter referred to as: Zaba PMA). Zaba PMA is responsible for the development, implementation and maintenance of the Certificate Policy, the Certification Practice Statement for Qualified Certificates for electronic signature and seals, the Qualified Electronic Time-Stamping Authority Practice Statement and other documentation for Zaba QPKI.

1.3.2. Certification authorities

Certification authorities in Zaba QPKI under this Certificate Policy are Zaba Root QCA and Zaba QCA.

Representations and warranties of Certificate authorities are described in Certificate Policy for Qualified Trust Services.


1.3.3. Registration authorities

Subscriber registration for Bank's Qualified Certificates shall be performed in Bank's Registration Authorities.

Zaba QPKI Registration authorities (hereinafter referred to as: Zaba RA) are Bank's branches.

In Zaba RA, registration processes are performed by Bank's employees in branches responsible for RA processes (hereinafter referred to as: RA officers).

Zaba RA shall perform registration authority tasks in compliance with this Certificate Policy.

Representations and warranties of Registration authorities are described in Certificate Policy for Qualified Trust Services.

1.3.4. Provider of Qualified Electronic Time-Stamping services

Bank uses Zaba QTSA to provide its Qualified Electronic Time-Stamping Service, used for time-stamping and the long-term validity of Qualified electronic signatures and seals. Bank shall provide the Qualified Electronic Time-Stamping Service for Subscribers of Qualified Certificates for electronic signature and seal. Bank shall not provide the Qualified Electronic Time-Stamping Service separately from Qualified Certificates for electronic signature and seal.

1.3.5. Subscribers

Subscriber is Bank's client - a legal or a natural person that has, by concluding an agreement with Bank as a Qualified Trust Service Provider, taken over the contractual obligations of the Subscriber.

In order to use a certification service, Subscribers shall complete the registration procedure and submit their applications, as well as accept Subscriber obligations and responsibilities described in Certificate Policy for Qualified Trust Services. Subscribers shall conclude the Subscriber Agreement with Bank, as a legal base for issuing Qualified Certificate.

Subscribers for Qualified Certificates are the Subscribers for Qualified Time-Stamps, which are used for time-stamping and the long-term validity of Qualified electronic signatures and seals.

1.3.6. Relying parties

Relying Parties are natural or legal persons that rely upon a Qualified Trust Service. Relying Parties, based on the certificate, shall conduct validation of the electronic signature or seal, and act based on reasonable reliance on the certificate.

Representations and warranties of Relying Parties are described in the Certificate Policy for Qualified Trust Services.

1.3.7. Other participants

Other participants of Zaba QPKI are legal persons that do not use Qualified Trust Services but participate in the processes that support Qualified Trust Services. Other participants are: IT providers for hardware and software for PKI, cryptographic device providers (HSM, smart cards), conformity assessment bodies and other authorities.

1.4. Certificate usage

The Relying Party shall be responsible for accepting the certificate and for establishing reasonable confidence in it. The Relying Party should apply the following criteria when deciding whether to accept a certificate:

legal requirements related to electronic signature or seal;

all information from certificate, Certificate Policy, certificate practice statement and other documents;

potential impact or loss caused by fraudulent activities in the transaction or communication;

any information on compliance or non-compliance related to subject, implemented IT solution, communication or transaction;

1.4.1. Appropriate certificate uses

A key pair shall not be used for any purpose other than the one for which it was generated. The certificate indicates the key usage.

1.4.1.1 Certificate for time-stamping service and Qualified Time-Stamps

The Zaba QCA certificate for the time-stamping service is an NCP+ certificate (Normalized Certificate using a secure cryptographic device, here an HSM) for the time-stamp service; it is in compliance with ETSI/EN 319 411-3 and can be used for issuing Qualified Time-Stamps only. This certificate guarantees the electronic identity of the Zaba QTSA service.

The keyUsage extension of this certificate is marked critical and its value is set to digitalSignature and nonRepudiation; the certificate also carries the extKeyUsage extension, marked critical, with its value set to timeStamping.

Qualified Time-Stamps issued by Zaba QTSA may be used for any purpose requiring evidence of the existence of particular data in electronic form at the time specified in the issued time-stamp, and should provide long-term validity for electronically signed or sealed documents.

1.4.2. Prohibited certificate uses

Except for the appropriate uses of certificates described in Section 1.4.1 hereof, all other use of certificates issued in line with the Certificate Policy for Qualified Trust Services and this Practice Statement shall be prohibited.

The Bank recommends that Relying Parties check the OIDs of the certificates referred to in Section 1.1.2 hereof.

1.5. Policy Administration

Contact details for administration and content of this Practice Statement are given below:

Mailing address:

Zagrebačka banka d.d.

Upravljanje sustavom zaštite

Samoborska 145, 10090 Zagreb, Hrvatska

Telephone: +385-1-6104-225

Telefax: +385-1-6325-425

E-mail: [email protected]

Practice Statement is published on: http://www.zaba.hr/cps

Zaba PMA is responsible for the development, implementation and maintenance of the Certificate Policy, the Certification Practice Statement for Qualified Certificates for electronic signatures and seals, the Qualified Electronic Time-Stamping Authority Practice Statement and other documentation for Zaba QPKI.


2 REFERENCES

Core legislation

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

Act Implementing Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Council Directive 1999/93/EC (Croatian Official Gazette (hereinafter referred to as Official Gazette) 62/2017)

Subordinate Regulations

Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of Qualified signature and seal creation devices pursuant to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

Other legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Standardization Documents

ETSI EN 319 421 V1.1.1 (2016-03) Electronic Signatures and Infrastructures (ESI); Policy and Security Requirements for Trust Service Providers issuing Time-Stamps

ETSI EN 319 422 V1.1.1 (2016-03) Electronic Signatures and Infrastructures (ESI); Time-stamping protocol and time-stamp token profiles

ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management

ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security management

FIPS PUB 140-2, Minimum level 2 – Federal Information Processing Standards Publication 140-2 – Security requirements for cryptographic modules, minimum level 2

ETSI EN 319 401 V2.1.1. (2016-02) – Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers

ETSI EN 319 411-1 V1.1.1. (2016-02) – Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements

ETSI EN 319 411-2 V2.1.1 (2016-02) – Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU Qualified Certificates

ETSI TS 119 312 – Electronic Signatures and Infrastructures (ESI); Cryptographic Suites

Zagrebačka banka's documents

Certification Policy for Qualified Trust Services

Certification Practice Statement for Qualified Certificates for Electronic Signatures and Seals

Qualified Electronic Time-Stamping Authority Practice Statement


3 DEFINITIONS, SYMBOLS AND ABBREVIATIONS

3.1. Definitions

Audit log journal - Set of records that automatically log events relevant for compliance with Regulation (EU) No 910/2014.

Authorised Representative - Natural person authorised legally or by proxy to represent the Creator of a seal in the issuance procedure and/or revocation of the Certificate for the Electronic Seal.

Certificate revocation - An action that makes a certificate irrevocably invalid from the moment of revocation.

Certificate Revocation List - Signed list indicating a set of certificates that are no longer considered valid by the certificate issuer.

Certification Authority - Authority trusted by one or more users to create and assign public-key certificates. A Certification Authority may be:

1. a trust service provider that creates and assigns public key certificates; or

2. a technical certificate generation service that is used by a certification service provider that creates and assigns public key certificates.

Certification Practice Statement - Statement of the practices which a Certification Authority employs in issuing, managing, revoking, and renewing or re-keying certificates.

Coordinated Universal Time (UTC) - Second-based time scale as defined by ITU-R Recommendation TF.460-5. For most practical applications, UTC is equivalent to mean solar time of the Prime Meridian (0°). More precisely, UTC is a compromise between the very stable atomic time (fr. Temps Atomique International - TAI) and solar time derived from the irregular rotation of the Earth (in relation to the agreed Greenwich mean sidereal time (GMST)).

Cryptographic module - Software or device of a certain security level which shall:

generate a key pair and/or

protect cryptographic information, and/or

perform cryptographic functions.

Distinguished Name (DN) - A unique name of the Subject entered in the certificate. The distinguished name uniquely identifies the Subject to whom the certificate is issued and is unique within one CA.

Electronic Time-Stamp - Data in electronic form which binds other data in electronic form to a particular time, establishing evidence that the latter data existed at that time.

Policy Management Authority (PMA) - Body with final authority and responsibility for specifying and approving the Certificate Policy.

Qualified Electronic Time-Stamp - Electronic Time-Stamp that meets the following requirements:

it binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;

it is based on an accurate time source linked to Coordinated Universal Time; and

it is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.

Qualified Trust Service Provider - Trust Service Provider that provides one or more qualified trust services and is granted the qualified status by the supervisory body.

Relying Party - Natural or legal person that relies upon an electronic identification or a trust service.

Subscriber - Legal or natural person bound by agreement with a trust service provider to any Subscriber obligations.


Time-stamp - data in electronic form which binds other electronic data to a particular time, establishing evidence that these data existed at that time.

Time-stamp Policy - named set of rules that indicates the applicability of a time-stamp to a particular community and/or class of application with common security requirements.

Time-Stamping Authority (TSA) - TSP providing time-stamping services using one or more time-stamping units.

Time-Stamping Service - trust service for issuing time-stamps.

Time-Stamping Unit (TSU) - set of hardware and software which is managed as a unit and has a single time-stamp signing key active at a time.

Trust Service Provider - A natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider.

TSA Disclosure Statement - set of statements about the policies and practices of a TSA that particularly require emphasis or disclosure to subscribers and relying parties, for example to meet regulatory requirements.

TSA Practice Statement - statement of the practices that a TSA employs in issuing time-stamps.

TSA system - Composition of IT products and components organized to support the provision of time-stamping services.

Zaba QPKI – PKI implemented in the Bank for providing Qualified Trust Services.

Zaba QPKI Private Keys – Private keys of the key Zaba QPKI components: Zaba Root QCA, Zaba QCA, Zaba QTSA and Zaba QOCSP, and Subscriber private keys stored on HSM/QSCD devices in Zaba QPKI protected zones.

Zaba QRDC – Register of digital certificates, which is based on the Root CA, Zaba Root QCA, and the subordinate Zaba QCA.

Zaba RA – Registration authorities for Zaba QPKI are the Bank's branches.

3.2. Abbreviations

CA – Certification Authority

CP – Certificate Policy

CPS – Certification Practice Statement

CRL – Certificate Revocation List

GMT – Greenwich Mean Time

PMA – Policy Management Authority

QTSA – Qualified Electronic Time-Stamping Authority

TP – Time-Stamp Policy

TSU – Time-Stamping Unit

UTC – Coordinated Universal Time


4 GENERAL CONCEPTS

An electronic time-stamp is a piece of data in electronic form which binds other electronic data to a particular time, establishing evidence that these data existed at that time. An electronic time-stamp issued by a Qualified Trust Service Provider binds the hash value of a data document to an accurate date and time. The Time Stamp Authority signs the time-stamp using its certificate, which ensures the integrity of the time-stamp and identifies the signer as the Time Stamp Authority.

Qualified Electronic Time Stamp shall meet the following requirements:

it binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;

it is based on an accurate time source linked to Coordinated Universal Time; and

it is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.

4.1. General Policy Requirements Concepts

Bank as Qualified Trust Services Provider shall issue Qualified Electronic Time-Stamp in compliance with Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and standardization documents:

ETSI EN 319 421 V1.1.1 (2016-03) Electronic Signatures and Infrastructures (ESI); Policy and Security Requirements for Trust Service Providers issuing Time-Stamps and

ETSI EN 319 422 V1.1.1 (2016-03) Electronic Signatures and Infrastructures (ESI); Time-stamping protocol and time-stamp token profiles.

The purpose of this Practice Statement is to define the basic rules and principles of the Qualified Electronic Time-Stamp service for all PKI participants.

4.2. Time-Stamping Services

The provision of time-stamping services is broken down into the following component services:

Time-stamping provision: This service component generates time-stamps.

Time-stamping management: This service component monitors and controls the operation of the time-stamping services to ensure that the service provided is as specified by the TSA. This service component has responsibility for the installation and de-installation of the time-stamping provision service.

Bank shall ensure that the Zaba QTSA system’s time is correctly synchronized with the UTC time within the accuracy limits.

4.3. Time-Stamping Authority (TSA)

A Trust Service Provider (TSP) providing time-stamping services to the public is called a Time-Stamping Authority (TSA). The TSA has overall responsibility for the provision of the time-stamping services identified in Section 4.2. The TSA is responsible for the operation of one or more TSUs, which create and sign time-stamps on behalf of the TSA.

Zaba QTSA shall operate a single TSU.

4.4. Subscriber

The Bank's clients (natural and legal persons) who are Subscribers for Qualified Certificates for electronic signature and seal are also Subscribers for Qualified Electronic Time-Stamps, which are used for time-stamping and for the long-term validity of Qualified electronic signatures and seals.

The Subscribers shall conclude a Certification Service Agreement with the Bank, whereby they shall accept this Certificate Policy and the Certification Services Terms and Conditions. This Agreement shall include the Terms and Conditions for the Qualified Electronic Time-Stamp service.


5 TIME-STAMPING POLICIES

The Time-Stamping Policy in Zaba QPKI is the Certificate Policy for Qualified Trust Services, whose scope is all Qualified Trust Services that the Bank provides.

This document, the Qualified Electronic Time-Stamping Authority Practice Statement, has OID 1.3.6.1.4.1.47380.X.X.X.X; this is the TP OID, which is included in each Qualified Electronic Time-Stamp.

The CP OID for the time-stamp certificate in Zaba QPKI is 1.3.6.1.4.1.47380.5.2.5.3.


6 POLICIES AND PRACTICES

6.1. Risk assessment

The risk assessment for the Qualified Electronic Time-Stamp service is performed and documented in the separate document „Risk Assessment in Zaba QPKI“.

6.2. Trust Service Practice Statement

This Practice Statement addresses:

a) at least one hashing algorithm used to represent the datum being time-stamped;

b) the accuracy of the time in the time-stamps with respect to UTC;

c) any limitations on the use of the time-stamping service;

d) the subscriber's obligations;

e) the relying party's obligations;

f) information on how to verify the time-stamp such that the relying party is considered to "reasonably rely" on the time-stamp and any possible limitations on the validity period;

Key statements for Subscribers are presented in the TSA Disclosure Statement.

6.3. Terms and conditions

The Subscribers shall conclude a Certification Service Agreement with the Bank, whereby they shall accept this Certificate Policy and the Certification Services Terms and Conditions. This Agreement shall include the Terms and Conditions for the Qualified Electronic Time-Stamp service. In addition to the Terms and Conditions, the Bank will publish the TSA Disclosure Agreement with key statements for Subscribers.

6.4. Information security policy

Information Security principles are described in Bank’s internal acts Information Security Policy and Rulebook on Information Security.

6.5. TSA Obligations

Bank as the Qualified Trust Service Provider shall be responsible for:

proper authentication of natural and legal persons with the aim of certificate issuance,

issuing certificates in a secure manner in order to preserve their authenticity and accuracy,

compliance with its obligations.

In addition to these obligations, the Bank as Qualified Electronic Time-Stamping Authority shall provide its time-stamping services in accordance with Regulation (EU) No. 910/2014, the Act Implementing Regulation (EU) No. 910/2014, the relevant standardization documents and recommendations, this Certificate Policy, the Qualified Electronic Time-Stamping Authority Practice Statement and other relevant internal documentation.

The Bank is responsible for ensuring that the application used to implement Qualified Electronic Time-Stamps is fully interoperable with the Zaba QTSA system.

6.5.1. TSA Subscriber Obligations

Subscriber shall:

validate the Zaba QTSA electronic signature on the Qualified time-stamp received and verify the validity of the Zaba QTSA Certificate.

6.5.2. TSA Relying Party Obligations

Reasonable reliance shall be considered a decision by the Relying Party to rely on a time-stamp if, at the time of reliance, it has:

undertaken the necessary precautionary measures and used the time-stamp for the purposes stipulated in this Practice Statement, that is, under circumstances in which reliance is reasonable and in good faith, and under circumstances known or that should have been known to the Relying Party prior to relying on the time-stamp,

validated the electronic time-stamp signature and the integrity of the time-stamp,

checked the validity and revocation status of the Zaba QTSA certificate,

used an application solution and IT environment on which it may rely.

Long-term verification of time-stamps

Usually, a time-stamp becomes unverifiable beyond the end of the validity period of the TSU certificate, because the CA that issued the certificate usually no longer warrants providing revocation status information for expired certificates.

If at the time of verification:

the TSU private key has not been compromised at any time up to the time that a relying party verifies a time-stamp;

the hash algorithms used in the time-stamp exhibit no collisions at the time of verification; and

the signature algorithm and signature key size under which the time-stamp has been signed are still beyond the reach of cryptographic attacks at the time of verification;

then verification of a time-stamp can still be performed beyond the end of the validity period of the TSU certificate.

A Relying Party who has not abided by the regulations and this Practice Statement, and has not acted in accordance with the obligations and responsibilities referred to in this Section, shall alone carry the risks of reliance on such a certificate.

6.6. Liability

Except for the representations and warranties explicitly written in Section 9.6 of the Certificate Policy for Qualified Trust Services, the Bank as Qualified Trust Services provider shall not be liable for damage, including indirect damage, or for any loss of profit, loss of data or other indirect damage related to Qualified Trust Services; specifically, the Bank is not liable for any damage caused by non-compliance of other PKI participants with the representations and warranties in Section 9.6 of the Certificate Policy for Qualified Trust Services.

The Bank shall not be liable for damage, including indirect damage, or for any loss of profit, loss of data or other indirect damage related to Qualified Trust Services, caused by using time-stamps from other providers, or by using the Bank's Qualified Electronic Time-Stamps in a manner not compliant with the time-stamp usage in Section 1.4.1 of this Practice Statement.


7 TSA MANAGEMENT AND OPERATION

7.1. Introduction

Zaba QTSA issues Qualified Electronic Time-Stamps only for Subscribers of EU Qualified certificates for electronic signature and seal.

Each time-stamp issued by Zaba QTSA contains a TP OID, a unique identifier for this Practice Statement document.

The time in the Zaba QPKI system shall be synchronised with UTC time (an external time source with satellite GPS synchronization). Zaba QPKI audit logs shall contain accurate data about the date and time at which they originated, with a deviation of less than +/- 1 second.

In the event that the satellite signal is unavailable for any reason, Zaba QTSA automatically switches to an internal time source that ensures the default accuracy relative to actual UTC time for a maximum of 24 hours from the start of the satellite signal's unavailability.

Zaba QTSA accepts the following hash algorithm in a time-stamp request:

sha-256 (OID: 2.16.840.1.101.3.4.2.1).

7.2. Internal Organisation

Trusted roles shall comprise the basis of trust in Zaba QPKI and shall be assigned to authorised employees from competent Bank organizational units. Each trusted role shall be documented with a clearly defined description of tasks and responsibilities.

Trusted roles shall include the roles of Security Officer, System Administrator, System Operator, Registration Officer, Revocation Officer and System Auditor.

Zaba QPKI tasks shall be performed exclusively by authorised persons and with sufficient number of full-time employees with knowledge, experience and qualifications.

The most critical functions are carried out with procedures based on "four eyes" control and a strong authentication process.

7.3. Personnel Security

Based on job descriptions for Zaba QPKI, candidates must possess the appropriate expert knowledge, experience, qualifications and education for work with cryptographic technologies, protection of computer systems, IT security and protection of personal data.

Employees working at Zaba QPKI shall not be employed nor have any business relationship with other Qualified Trust Service Providers.

Prior to starting work at jobs in Zaba QPKI, the Bank shall carry out adequate candidate checks in order to assess their expertise, ability and reliability in accordance with the needs of Zaba QPKI tasks.

Employees carrying out tasks within Zaba QPKI shall be provided with education and training in accordance with their trusted roles.

Refresher training of Zaba RA employees, appropriate to the jobs they perform, shall be conducted regularly, at least once every two years.

In case of unauthorized actions or other violations of the Bank's policies and procedures, appropriate disciplinary measures are decided upon, commensurate with the frequency and severity of the actions.

For external contractors who carry out some of the services within the scope of Qualified Certificate issuance services for Bank, the same requirements as those that apply to internal employees shall apply when working in Zaba QPKI.

The documentation required for the implementation of their work tasks according to the roles assigned and pertaining authorisations shall be supplied to each employee.

7.4. Asset Management

All information system components used within the service are clearly identified, inventoried and classified in terms of security and importance for the business.

Media containing archives and backups of Zaba QPKI data in electronic form, copies of repository content and software backups shall be stored in two separate, protected locations with fire prevention and protection in place and secured against floods. This media shall also be protected against damage, theft and unauthorised access. Data on disposed media is securely deleted, either by electronic erasure of the data or by physically destroying the disposed media.

7.5. Access Control

Any access to a resource is done through a controlled process involving the participation of managers and process owners. The need to know principle and the separation of duties principle are respected. Periodically, the existing access rights are checked to determine whether they are appropriate.

Different security layers in relation to physical and logical access ensure a secure operation of the time-stamping service. For instance:

secured physical environment,

segregation of duties,

network segmentation using firewalls,

information system monitoring,

hardening of information system components.

The PKI is logically separated from the Bank's other IT infrastructure and has its own network equipment (switches, firewalls), physical servers and virtual machines, and management console.

7.6. Cryptographic Controls

7.6.1. General

The Zaba QCA certificate for the time-stamping service is an NCP+ certificate (Normalized Certificate Policy requiring a secure cryptographic device, here an HSM certified to FIPS 140-2 level 3) for the time-stamp service; it complies with ETSI EN 319 411-3 and may be used for issuing Qualified time-stamps only. This certificate guarantees the electronic identity of the Zaba QTSA service.

The keyUsage extension of this certificate is critical and its value is set to digitalSignature and nonRepudiation; the certificate additionally has the extKeyUsage extension marked critical with its value set to timeStamping.

Qualified time-stamps issued by Zaba QTSA may be used for any purpose requiring evidence of the existence of particular data in electronic form at the time specified in the issued time-stamp, and should provide long-term validity for electronically signed or sealed documents.
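As an added example (not the Bank's code), the certificate profile stated here and in Section 1.4.1.1 can be checked mechanically by a relying party before trusting a TSU certificate. This Go program builds a constructed, self-signed test certificate carrying the stated extensions and applies the check; it uses an ECDSA key for brevity, since the check inspects extensions, not the key algorithm, and the negative case shows a non-critical extKeyUsage being rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Extension OIDs (keyUsage, extKeyUsage) and the id-kp-timeStamping purpose from RFC 5280 / RFC 3161.
var (
	oidKeyUsage       = asn1.ObjectIdentifier{2, 5, 29, 15}
	oidExtKeyUsage    = asn1.ObjectIdentifier{2, 5, 29, 37}
	oidKPTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
)

// extensionCritical reports whether the extension with the given OID is present and, if so, whether it is critical.
func extensionCritical(cert *x509.Certificate, oid asn1.ObjectIdentifier) (present, critical bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oid) {
			return true, ext.Critical
		}
	}
	return false, false
}

// CheckTSUCertProfile applies the profile stated in sections 1.4.1.1 and 7.6.1:
// keyUsage critical with exactly digitalSignature and nonRepudiation (Go names the
// latter bit ContentCommitment), and extKeyUsage critical with timeStamping only.
// RFC 3161 section 2.3 requires the same critical extKeyUsage, so a relying party
// can run this check on any TSU certificate before trusting a token it signed.
func CheckTSUCertProfile(cert *x509.Certificate) error {
	if present, critical := extensionCritical(cert, oidKeyUsage); !present || !critical {
		return errors.New("keyUsage extension is missing or not marked critical")
	}
	wantKU := x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
	if cert.KeyUsage != wantKU {
		return fmt.Errorf("keyUsage bits %#x, want digitalSignature|nonRepudiation (%#x)", cert.KeyUsage, wantKU)
	}
	if present, critical := extensionCritical(cert, oidExtKeyUsage); !present || !critical {
		return errors.New("extKeyUsage extension is missing or not marked critical")
	}
	if len(cert.ExtKeyUsage) != 1 || cert.ExtKeyUsage[0] != x509.ExtKeyUsageTimeStamping || len(cert.UnknownExtKeyUsage) != 0 {
		return errors.New("extKeyUsage must contain id-kp-timeStamping and nothing else")
	}
	return nil
}

// NewSampleTSUCert builds a self-signed test certificate (constructed here, not issued by
// Zaba QCA). ekuCritical selects whether extKeyUsage is marked critical so the negative
// case exercises the check. Go would emit extKeyUsage as non-critical on its own, so the
// extension is supplied through ExtraExtensions, which overrides the default encoding.
func NewSampleTSUCert(ekuCritical bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ekuDER, err := asn1.Marshal([]asn1.ObjectIdentifier{oidKPTimeStamping}) // SEQUENCE OF KeyPurposeId
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "Sample TSU (constructed)", Country: []string{"HR"}},
		NotBefore:       now,
		NotAfter:        now.Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, // Go marks keyUsage critical
		ExtraExtensions: []pkix.Extension{{Id: oidExtKeyUsage, Critical: ekuCritical, Value: ekuDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, critical := range []bool{true, false} {
		cert, err := NewSampleTSUCert(critical)
		if err != nil {
			panic(err)
		}
		fmt.Printf("extKeyUsage critical=%v: check result %v\n", critical, CheckTSUCertProfile(cert))
	}
}
```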

7.6.2. TSU Key Generation

The TSU uses a 2048-bit RSA key pair issued by Zaba QCA. This key pair is used only for signing time-stamps.

All cryptographic modules are associated with the same public key certificate.

a) The generation of the TSU's signing key(s) is undertaken in a physically secured environment (see Section 7.8) by personnel in trusted roles (see Section 7.3), under the control of at least two trusted persons. The personnel authorized to carry out this function are limited to those required to do so under the TSA's practices.

b) The generation of the TSU's signing key(s) is carried out within a cryptographic module which conforms to FIPS PUB 140-2, level 3.

c) The TSU key generation algorithm, the signature algorithm and the length of the key used to sign the time-stamps are in accordance with the current state of the art as being fit for signing the time-stamps issued by the TSA.

7.6.3. TSU private key protection

The key is generated and exists throughout its entire lifetime in a physically and electromagnetically protected electronic environment. The hardware security modules used by the Certification Authorities comply with the FIPS PUB 140-2, level 3 standard. The digital signature is created using the RSA algorithm in combination with the SHA-256 hash.

Dual-control access is achieved through the distribution of shared secrets to authorised operators.

The secrets are stored on cryptographic cards or tokens protected by a PIN and shall be safeguarded by employees in trusted roles.

Backup of encrypted private keys shall be carried out in Zaba QPKI protected zones and shall be initiated by an authorised person, under dual control. Backups of these encrypted private keys shall be stored in Zaba QPKI protected zones at separate locations. The number of backup Qualified Certificate private keys shall not exceed the number essential for securing the continuity of services.


7.6.4. TSU public key certificate

The TSA guarantees the integrity and authenticity of the TSU signature verification (public) keys as follows:

TSU signature verification (public) keys are made available to relying parties in a public key certificate. The certificates are published at the following link: https://www.zaba.hr/cps

The TSU does not issue a time-stamp before a certificate for its signature verification (public) key has been loaded. When the certificate is loaded in the TSU, the TSA verifies that the certificate was duly signed (including verification of the certificate chain up to a trusted certification authority).

Validity information regarding the TSU certificates is updated periodically on CRLs or OCSP services, which are available at the references located in the certificates.

7.6.5. Rekeying TSU's key

The keys of the TSU shall have a maximum operating life of 10 years. The duration of the TSU keys is further limited by:

the period of validity of the Zaba QCA certificate,

the annual review: once a year, or when significant changes occur, the Bank verifies all cryptographic algorithms used in the TSA, checking that each algorithm is still recognized as suitable.

If an algorithm becomes at risk, it shall no longer be considered adequate, and the Security Manager shall initiate revocation of that certificate/keys and the issuance of new ones.

7.6.6. Life cycle management of signing cryptographic hardware

Zaba QTSA ensures that:

the integrity of the cryptographic security modules was not affected during their transport and storage prior to installation,

cryptographic hardware is installed, managed and operated by trusted personnel in Zaba QPKI protected zones,

cryptographic security modules work correctly,

private signing keys stored on a cryptographic security module are destroyed the moment it is taken out of production.

7.6.7. End of TSU key life cycle

The Zaba QTSA TSU private key and certificate have a validity period of 10 years.

Zaba QTSA TSU private signing keys shall not be used beyond the end of their validity period. Zaba QCA shall issue a new private key and certificate for Zaba QTSA before the end of the validity period.

After expiration, TSU private signing keys, or any key part, including any copies, shall be destroyed such that the private keys cannot be retrieved.

7.7. Time-Stamping

7.7.1. Time-Stamp issuance

For each qualified electronic time-stamp, it shall be ensured that:

it includes the OID of this Policy under which it was issued (QTP OID);

it includes a unique identifier;

the time used in TSU may be matched to the actual time received from a reliable source;

it includes accurate time information provided by TSU at the time of issuing the electronic time-stamp;

it includes a hash representation of the electronic record for which an electronic time-stamp is to be issued;

it is signed using a TSU private key intended solely for the purpose of time-stamp signing;

it includes the identifier of the country where Zaba QTSA is established;

it includes the identifier for Zaba QTSA; and

it includes the identifier of the issuing TSU.

An electronic time-stamp shall be issued as specified in IETF RFC 3161 and ETSI EN 319 421, with a profile compliant with ETSI EN 319 422.
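The list above is, field for field, the content of the RFC 3161 TSTInfo structure that the TSU signs. The following is an added example, not code from the Bank or from this Practice Statement: it builds a TSTInfo with a minimal DER codec and runs the relying-party checks implied by the list (policy OID, unique serial number, message imprint over the record, genTime, accuracy, nonce). The policy OID, serial number, nonce, timestamp and input record are constructed placeholders, not the Bank's QTP OID or real values. The CMS SignedData wrapper, the TSU certificate and the tsa name (which carries the country and QTSA identifiers) are out of scope here.

```python
import hashlib
from datetime import datetime, timezone

SHA256_OID = "2.16.840.1.101.3.4.2.1"      # id-sha256
SAMPLE_TIME = datetime(2019, 9, 10, 12, 0, 0, tzinfo=timezone.utc)   # constructed


def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def der_int(value):
    """INTEGER in minimal two's complement (leading 0x00 keeps positives positive)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def der_oid(dotted):
    """OBJECT IDENTIFIER with base-128 sub-identifiers."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return tlv(0x06, bytes(out))


def der_seq(*items):
    return tlv(0x30, b"".join(items))


def der_read(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: first & 0x7F length octets follow
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """All (tag, body) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def oid_decode(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_tstinfo(data, policy_oid, serial, gen_time, accuracy_s=1, nonce=None):
    """TSTInfo (RFC 3161 section 2.4.2) over sha256(data); unsigned in this example."""
    imprint = der_seq(der_seq(der_oid(SHA256_OID)),           # AlgorithmIdentifier, no params
                      tlv(0x04, hashlib.sha256(data).digest()))
    fields = [der_int(1),                                      # version v1
              der_oid(policy_oid),                             # TSAPolicyId (the QTP OID)
              imprint,                                         # MessageImprint
              der_int(serial),                                 # serialNumber, unique per TSU
              tlv(0x18, gen_time.strftime("%Y%m%d%H%M%SZ").encode()),   # genTime (UTC)
              der_seq(der_int(accuracy_s))]                    # Accuracy { seconds }
    if nonce is not None:
        fields.append(der_int(nonce))                          # echoes the request nonce
    return der_seq(*fields)


def check_tstinfo(token, data, expected_policy, max_accuracy_s=1, nonce=None, now=None):
    """Relying-party checks on the TSTInfo contents; returns {check name: passed}."""
    now = now or datetime.now(timezone.utc)
    tag, body, _ = der_read(token)
    f = der_children(body)
    alg, digest = der_children(f[2][1])
    alg_oid = oid_decode(der_children(alg[1])[0][1])
    gen_time = datetime.strptime(f[4][1].decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    accuracy, token_nonce = None, None
    for t, v in f[5:]:                     # optional trailing fields, dispatched by tag
        if t == 0x30:                      # Accuracy: seconds / [0] millis / [1] micros
            accuracy = sum({0x02: 1, 0x80: 1e-3, 0x81: 1e-6}[ct] * int.from_bytes(cv, "big")
                           for ct, cv in der_children(v))
        elif t == 0x02:                    # nonce
            token_nonce = int.from_bytes(v, "big", signed=True)
    return {
        "is_tstinfo_v1": tag == 0x30 and f[0] == (0x02, b"\x01"),
        "policy_matches": oid_decode(f[1][1]) == expected_policy,
        "imprint_matches": alg_oid == SHA256_OID and digest[1] == hashlib.sha256(data).digest(),
        "has_serial": f[3][0] == 0x02 and int.from_bytes(f[3][1], "big", signed=True) > 0,
        "gen_time_not_future": gen_time <= now,
        "accuracy_ok": accuracy is not None and accuracy <= max_accuracy_s,
        "nonce_matches": nonce is None or token_nonce == nonce,
    }


if __name__ == "__main__":
    doc, policy = b"constructed sample record", "1.3.6.1.4.1.99999.1.1"   # placeholders
    tok = build_tstinfo(doc, policy, 4711, SAMPLE_TIME, nonce=0x1234)
    print(tok.hex())
    print(check_tstinfo(tok, doc, policy, nonce=0x1234))
```

A verifier that skips any one of these checks weakens the time-stamp: without the policy check a token from a non-qualified policy is accepted, without the imprint check the token proves nothing about the record, and without the nonce check a replayed token can be substituted for the response to a fresh request. The accuracy check is where the 1 s guarantee of the next section becomes machine-checkable.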

Zagrebačka banka d.d. – Qualified Electronic Time-Stamping Authority Practice Statement, v1.2 from 10.9.2019, PUBLIC

7.7.2. Clock synchronization with UTC

As a Qualified Electronic Time-Stamping Service Provider, the Bank provides accurate time information in every electronic time-stamp. The UTC time incorporated in each electronic time-stamp has a guaranteed accuracy of 1 s.

Bank shall ensure that the Zaba QTSA system’s time is correctly synchronized with the UTC time within the accuracy limits, in particular by:

periodic clock calibrations;

protecting against TSU time tampering;

detecting any drifts or jumps out of synchronization with the UTC time, and

providing for leap second events.

The primary reliable source of UTC time in the Zaba QTSA system is the satellite GPS signal.

As an alternative reliable source of UTC time, the Zaba QTSA system uses UTC data obtained over an Internet connection with the NTP protocol, synchronising with the reliable UTC time source of a reference laboratory.

If the primary reliable source of UTC time becomes unavailable, the Zaba QTSA system automatically switches to the alternative reliable source.
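The supervision described above (drift and jump detection against the 1 s accuracy bound, and failover from GPS to NTP when the primary source is unavailable) can be expressed as a small state machine over clock-offset samples. The following is an added example, not code from the Bank's system: the thresholds, the sample values and the cross-check between the two sources (treating disagreement between GPS and NTP as a tamper indicator, which goes beyond what the text states) are assumptions of this example. Leap-second handling is not shown.

```python
class ClockMonitor:
    """Per-sample decision whether the TSU may issue time-stamps.

    Offsets are measured TSU clock minus reference, in seconds; None means the
    source delivered no usable sample. Thresholds are assumptions for this example."""

    def __init__(self, accuracy_s=1.0, jump_s=0.5):
        self.accuracy_s = accuracy_s   # accuracy guaranteed in each time-stamp (1 s)
        self.jump_s = jump_s           # step between consecutive samples treated as a jump
        self.source = None
        self.last_offset = None
        self.events = []

    def observe(self, gps_offset, ntp_offset):
        """Return (source used, may_issue) and record anything worth alerting on."""
        if gps_offset is None and ntp_offset is None:
            self.events.append("no reference source available")
            return None, False
        # Cross-check while both sources are present: a spoofed or tampered
        # primary shows up as disagreement with the independent NTP path.
        if gps_offset is not None and ntp_offset is not None \
                and abs(gps_offset - ntp_offset) > self.accuracy_s:
            self.events.append(f"reference sources disagree by {gps_offset - ntp_offset:+.3f} s")
            return "GPS", False
        # Primary wins whenever it is available; otherwise fail over to NTP.
        source, offset = ("GPS", gps_offset) if gps_offset is not None else ("NTP", ntp_offset)
        if source != self.source:
            self.events.append(f"switched to {source}")
            self.source = source
        if self.last_offset is not None and abs(offset - self.last_offset) > self.jump_s:
            self.events.append(f"clock jump of {offset - self.last_offset:+.3f} s")
        self.last_offset = offset
        if abs(offset) > self.accuracy_s:   # drift past the guaranteed accuracy: stop issuing
            self.events.append(f"out of sync: {offset:+.3f} s via {source}")
            return source, False
        return source, True


def run(samples, **thresholds):
    """Feed (gps_offset, ntp_offset) samples; return the decisions and the event log."""
    mon = ClockMonitor(**thresholds)
    decisions = [mon.observe(gps, ntp) for gps, ntp in samples]
    return decisions, mon.events


# Constructed sample offsets, not measurements from the Bank's system.
SAMPLES = [
    (0.02, 0.05),   # normal operation, both sources present
    (0.03, 0.04),
    (None, 0.06),   # GPS lost: fail over to NTP, still within 1 s
    (None, 0.08),
    (None, 1.40),   # drift beyond the guaranteed accuracy: issuing must stop
    (0.05, 0.05),   # GPS back: switch back; the step from 1.40 s is logged as a jump
    (3.00, 0.05),   # GPS 3 s off while NTP is stable: sources disagree, do not issue
]

if __name__ == "__main__":
    decisions, events = run(SAMPLES)
    for sample, decision in zip(SAMPLES, decisions):
        print(sample, "->", decision)
    print("\n".join(events))
```

The point of returning may_issue per sample is that the issuing path checks it before signing: a TSU that keeps stamping while its clock is known to be more than 1 s out violates the accuracy stated in every token it produces, and the events feed the audit log entries for UTC synchronisation failures listed in section 7.12.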

7.8. Physical and Environmental Security

Every entry to Zaba QPKI protected zones shall be subject to independent oversight, and a non-authorised person shall be accompanied by an authorised person while in the secure area. Every entry and exit shall be logged.

Physical access to registered Subscriber data collected by Zaba RA shall be granted only to authorised Zaba QPKI personnel and authorised Zaba RA employees, who collect, store, use and delete personal data of natural persons in accordance with the applicable legislation on personal data protection.

Physical security consists of:

CCTV – video surveillance,

physical access control,

anti-burglary system,

physical guards and fire protection staff.

All alerts and events are forwarded to a 24x7 security operations centre.

7.9. Operation Security

The Bank has implemented a mature system of operational and security controls to ensure service quality and availability. These controls are:

analysis of security requirements is integrated into change and project management in the Bank, to ensure that security is built into information technology systems,

a change control procedure is applied to modifications and corrections of software and software configurations (e.g. firewall rules),

the integrity of the Bank's information system is protected against viruses and malicious or unauthorised software,

identity and access control are managed centrally and integrated with human resources processes,

segregation of duties according to each role within the system,

archiving of logs of operations performed on systems, and of the data necessary for audit,

patch management is implemented across the whole information system,

capacity demands shall be monitored and projections of future capacity requirements made to ensure that adequate processing power and storage are available.

7.10. Network Security

The Zaba QPKI infrastructure uses a layered defence approach, placing servers and appliances on different network levels separated by firewalls that allow only authorised communication flows.


The configuration procedures of network components ensure:

the management of configurations changes,

restricting access to components using a least privilege principle,

prevention of improper or unauthorized accesses or changes.

The certification service uses network-based security infrastructure (firewalling) and TLS (Transport Layer Security) to establish a secure channel between all communicating parties. All network flows (protocol, source, destination) between different security domains are identified, classified and authorised. The system is further supported by specific security products (network intrusion detection, network intrusion prevention, malware protection) and by the relevant management procedures.

Penetration testing of the infrastructure is carried out periodically and after every significant change.

7.11. Incident Management

New types of security incidents emerge every day. Preventive activities based on the results of risk assessment may reduce the number of incidents, but cannot prevent them completely. A response capability is therefore necessary for rapid detection of incidents, mitigation of their consequences, management of the vulnerabilities that were exploited, and restoration of the service affected by the incident.

The key elements of emergency management are:

evaluation of events, incidents and crisis situations;

o classification of events,

o application of specific progressive levels of emergency situations,

o determination of impact levels,

defining the level of emergency for escalation,

roles in the escalation,

organisational model.

The information on the security events is classified as "confidential", and the data on security incidents is classified as "strictly confidential".

7.12. Collection of evidence

Audit logging on Zaba QPKI components uses an audit log journal that automatically records security-relevant events. The audit log journal is hosted on servers in protected zones. In particular, the audit log journal stores:

life-cycle management of Zaba QCA keys within Zaba QPKI,

registration data of natural and legal persons,

management of lifecycles of TSU keys and certificates within Zaba QTSA,

synchronization of the TSU clock with UTC,

detection of any UTC time synchronization failure,

physical security access to and alarms from dedicated Zaba QPKI protected zones.

Audit logs from Zaba QTSA are available online for 12 months and are then archived, so that proof of certification remains available for judicial proceedings even in the event of Zaba QTSA termination.

Audit logs in Zaba QPKI shall be inspected regularly, on a daily basis.

7.13. Business Continuity Management

The Business Continuity Plan for Zaba QPKI shall regulate the procedures to follow in the event of incidents or system compromise, and shall be revised once a year.

In reference to the Zaba QPKI, the following are considered critical incidents:

compromise of Zaba QCA private keys and HSM devices that contain private keys,

compromise of Zaba QTSA private keys and HSM devices that contain private keys,

malfunctions or damage to equipment and network resources of Zaba QPKI,

compromise of used cryptographic algorithms,

failure to publish certificate status (CRL and OCSP),


natural disasters (fire, earthquake, flood, …) and other disasters (epidemic, terrorism, …).

To reduce interruptions of business activities and to protect critical business processes from the impact of failures or disasters affecting operating systems and databases, a business continuity management system is in place. Its aim is to minimise the impact on the organisation in the event of loss of property and to ensure the continuity of operations and business processes, through measures that increase the resilience of the information system and mitigate external impacts on human resources, business premises or external suppliers.

The process of managing the business continuity system, and the integration of information infrastructure protection into business activities, is prescribed by the Bank's internal procedure.

Critical business processes, their recovery parameters in case of interruption, and the resources needed during recovery are defined by updating the business impact analysis at least once a year. Any change to the information system that affects business continuity management must be reflected in its own documentation as well as in the relevant internal acts in that area, which are:

Business impact analysis,

Risk assessment of crisis situation,

Business continuity Strategy,

Procedure for crisis management in the field of protection,

Business continuity plan,

Business continuity plan in the case of pandemic,

Disaster recovery plan.

Business continuity in crisis situations depends on the engagement of the managers of critical business functions, who, through preventive activities and communication with clients, employees and external contracting companies, ensure the purpose and effectiveness of the recovery procedures that make up the Bank's business continuity plan.

7.14. TSA termination and termination plans

In the event of a planned termination of qualified trust service provision, the Bank shall:

notify all Subscribers, Relying Parties and the national supervisory authority at least three months before the planned termination of qualified trust service provision,

make efforts to have the qualified trust services continued by another Qualified Trust Service Provider, and forward to that provider all documentation collected during the Subscriber registration procedure as well as all documentation on issued certificates.

If the Bank cannot arrange continuation of the service with another Qualified Trust Service Provider, the Bank shall:

revoke all issued qualified certificates and destroy Subscriber’s private keys in cases where Bank keeps and manages the Subscriber’s keys,

revoke the CA certificates and destroy their related private keys,

revoke the TSU certificates and destroy their related private keys.

In the event of termination of qualified certificate issuance services, the Bank shall archive, protect and keep records in accordance with this Practice Statement, so that the records remain accessible as evidence in court, administrative and other proceedings under the applicable legislation, or the Bank shall contract another legal person to archive, protect and keep those records.

7.15. Compliance

Supervision of the Bank's work as a Qualified Trust Service Provider is regulated by Regulation (EU) No 910/2014 and the Act Implementing Regulation (EU) No 910/2014, and is carried out by the national supervisory authority.

Supervision of Qualified Trust Service Providers in the field of collection, use and protection of a Signatory's personal data may also be carried out by government and other bodies designated by law and by other rules and regulations governing personal data protection.

Compliance audits shall be carried out to confirm that the Bank, as a Qualified Trust Service Provider, and the Qualified Certificate issuance services it provides meet the requirements of Regulation (EU) No 910/2014, the Act Implementing Regulation (EU) No 910/2014 and the corresponding HRN ETSI/EN standards.

The topics of compliance assessment shall include the following areas of trust service provision:

integrity and accuracy of documentation,


implementation of requirements for Qualified Trust Services,

organisational processes and procedures,

technical processes and procedures,

implementing information security measures,

trustworthy systems,

physical security at the audited entity's locations.

The description of the topics of compliance assessment shall be defined in the compliance assessment plan.
